Tags: awareness, human factor, phishing and smart e-mail client
Abstract:
Phishing e-mails are constantly increasing in sophistication, and typical countermeasures struggle to address them. Attackers target our cognitive vulnerabilities with a varied set of techniques, and each of us, not trained enough or simply caught at the wrong moment, can be deceived and put an entire organization in trouble. To date, no study has evaluated the behavior of users when confronted with phishing e-mails characterized by a diverse set of features and attack strategies. We designed, implemented, and deployed a system comprising a web application to test user awareness about phishing, featuring a survey to identify the most interesting characteristics of users, and fueled by a large and varied set of test e-mails engineered to elicit the several cognitive vulnerabilities we all have. We describe in detail the design and implementation choices, the lessons we learned, and the way we filled the gap in the available related work. We then use real data from our first 500 users to show how the collected data can be used for several important analyses, including which characteristics of the e-mails are more relevant for which cognitive vulnerability of specific groups of users. The results obtained can guide the development of novel e-mail clients as well as tailored training programmes. The collected data are available to the scientific community for conducting further studies on the important and still unsolved issue of e-mail phishing.
The Human Factor in Phishing: Collecting and Analyzing User Behavior When Reading E-Mails